5

When thinking about which messaging solution to use on my new "smart"phone I reflexively tended towards open source products, figuring that I could trust these more to actually provide the security they promise.

Now that I have decided which to use and installed the app from an app store, I have been asking myself: even if I had checked the source code (I'll admit I have just been assuming that someone did), how could I know that that is what I installed?

I see at least two potential attack vectors:

  1. The app provider can ship different code than what they publish (e.g. via Github).
  2. The app store owner (i.e. Google, Apple, ...) can change the shipped code.

I estimate that as little as one or two extra (or missing) lines can render even the most solid setup completely open to attack without the user being the wiser.

So, is there a way (preferably an automated one) to verify that the apk I downloaded from the app store matches the code I can see elsewhere?

Raphael

2 Answers

2

Here is an idea of how you could verify the integrity of source code in a binary package:

Download the apk from a distributor, such as Google Play, and store the apk locally. Then compile the source code into an apk to create a sort-of identical version of the app.

Then do a binary comparison of the 2 apk files and look for any differences and note their location. Then, disassemble both items with a tool such as IDA Pro and manually check what the differences in the code are.

You can expect some differences, because the signing certificates won't match, but the underlying code should be the same, if not identical.

As an example, you might see that the Google version of the app has several functions that are not present in the source, which can indicate some modifications to the original source.

user4294507
  • I've always been under the impression that all .apk files can easily be restored to the original Java code as Java is easily decompiled, unlike C. Is this not the case? – tlng05 Jan 09 '15 at 23:06
  • I am not sure on the exact details of java compilation process, but I would assume that it uses some form of bytecode, which would enable support for different operating systems. In that case you are right, the bytecode can be used to reconstruct the presumed original source code, which is known as decompilation. I would assume that decompiled and original source files would have some differences, but it would surely make the process of finding changes to the program easier, as you would see exact lines that are different. – user4294507 Jan 11 '15 at 06:29
  • @user4294507 Java *can* be decompiled, but not perfectly. Some information is no longer there in Bytecode, and names of things may get lost. – Raphael Jan 12 '15 at 12:05
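One way to automate the first step of the comparison described in this answer (locate the differing entries before any manual disassembly), as an added example that is not the answer author's code: it treats both APKs as ordinary zip archives, skips the signature entries under META-INF/ that legitimately differ because the signing certificates won't match, and hashes every other entry. The two sample APKs are constructed inline; the entry names and contents are made up for the demonstration.

```python
import hashlib
import io
import zipfile

# Entries that legitimately differ between a store build and a local build,
# because the signing certificates differ; everything else should match.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")

def entry_digests(apk_bytes):
    """Map each non-signature entry of an APK (a zip archive) to its SHA-256."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or (name.startswith("META-INF/") and name.endswith(SIGNATURE_SUFFIXES)):
                continue
            digests[name] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_apks(store_apk, local_apk):
    """Report entries present in only one build, or in both with different content."""
    store, local = entry_digests(store_apk), entry_digests(local_apk)
    return {
        "only_in_store": sorted(set(store) - set(local)),
        "only_in_local": sorted(set(local) - set(store)),
        "changed": sorted(n for n in store.keys() & local.keys() if store[n] != local[n]),
    }

def make_apk(entries):
    """Build a constructed in-memory APK (plain zip) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample builds: the store copy has a modified classes.dex and an
# extra native library; the signature entries differ but are filtered out above.
LOCAL_APK = make_apk({"classes.dex": b"dex\n035\x00local", "AndroidManifest.xml": b"<manifest/>",
                      "META-INF/MANIFEST.MF": b"local", "META-INF/CERT.RSA": b"local-cert"})
STORE_APK = make_apk({"classes.dex": b"dex\n035\x00store", "AndroidManifest.xml": b"<manifest/>",
                      "lib/arm64-v8a/libextra.so": b"\x7fELF", "META-INF/MANIFEST.MF": b"store",
                      "META-INF/CERT.SF": b"store", "META-INF/CERT.RSA": b"store-cert"})

if __name__ == "__main__":
    # Non-empty lists are where the manual disassembly step should start.
    print(compare_apks(STORE_APK, LOCAL_APK))
```

A real comparison also has to account for the build not being bit-for-bit reproducible (timestamps, compiler versions, resource packing order), so a non-empty "changed" list is a starting point for inspection, not proof of tampering.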
0

The F-Droid App store provides Open Source apps that are often built by F-Droid (choose a source build).

This requires you to trust F-Droid not to be tampering with the apk they provide (voluntarily or by getting compromised), but removes the evil-developer tampering.

If you do not want to trust any app store, you will need to build the apps yourself. Otherwise, you need to trust someone.

Ángel